Signal is end-to-end encrypted and collects only a tiny amount of personal information. But there’s more to it than that – these are the privacy and security settings you need to change.
Millions of people have flocked to the non-profit app, which collects almost no personal data from its users. If you’ve recently made the switch or are thinking about doing so – there’s plenty of reasons why you should pick Signal instead of WhatsApp although there are other WhatsApp alternatives – here’s our guide to making the most of its privacy-enhancing features.
It’s available in the Android and iOS app stores, and there is an official Android APK for users of Android variants without the Google Services Framework, such as Lineage OS and /e/. Your primary Signal device has to be a phone right now, but dedicated clients are available for computers and tablets without a mobile SIM, covering Windows, macOS, Linux, and iPad OS.
Once installed, you’ll have to connect Signal Desktop or iPad to your phone. When the desktop client shows you a QR code open Signal on your phone, go to ⋮ > Settings > Linked devices and tap the plus sign icon at bottom right to open a QR scanner and connect your computer. Signal doesn’t currently support using multiple mobile phones or more than one Android device on a single account.
If you lose access to the phone number your Signal account is linked to, you can still recover your account using your Signal PIN – you’re automatically prompted to create and regularly re-enter this to help you remember it. You can change it in Signal’s Privacy settings, disable reminders, and require that your PIN has to be provided to register Signal, even if the phone number remains the same, helping to protect against phone number hijacking.
The PIN can be disabled entirely in Settings > Advanced > Advanced PIN settings, and this means that no data will be restored when you re-register Signal with your phone number unless you create and restore a manual, password-protected backup via Settings > Chats and media > Chat backups.
KEEP IN CONTACT
When you first load it, Signal will ask for access to your phone contacts. If any of their phone numbers is associated with a Signal account, it’ll be automatically added to your Signal contacts list. To invite others, tap the ⋮ icon at the top right and select Invite friends. This will generate a link to Signal’s mobile install page, which you can share to anyone in your address book via SMS by tapping the Share with contacts, or via other apps by hitting Choose how to share.
You can also set Signal as your default SMS app in ⋮ > Settings > SMS and MMS, but remember that these messaging exchanges will not be encrypted. We recommend keeping your messaging apps separate so as to minimise potential confusion here.
If you’re moving from WhatsApp to Signal, it’s likely that you’ll want to bring (or try to persuade) the people you chat with on the Facebook-owned messaging service across as well. There’s a simple way to create groups and share a link with other people that lets them join.
To start a Signal group, go to ⋮ > New group and select the people you want to invite from your phone contacts or by entering their phone number. Once a group’s been created – this doesn’t apply to legacy groups created before Signal’s October 2020 update – you can add new people who aren’t in your phone contacts to it by tapping into the group then hitting ⋮ > Group settings and scrolling down to the plus sign next to Add members.
Just above that, you’ll see an option called Group link tap it, then turn it on, and you’ll be able to generate a link that’ll invite people to join your new group. This is hugely useful if you want to share a link with your entire WhatsApp group chat before you leave Facebook’s services altogether.
For security, you can reset the link whenever you link and you can enable member request approval, which means that you or another admin will have to confirm everyone who wants to be added. The Group settings page shows everyone in the group, allows Admins to remove members and confer admin status on others, and, if you’re a member of a group you can leave it or block it here.
Both Groups and direct conversations with one other person support disappearing messages, which you’ll find via the ⋮ menu. You can set the duration for which they’ll be visible here, as well. Once they’ve expired, it’s not possible to retrieve them.
Finally, if you don’t want to hear from someone ever again, an option at the bottom of your Conversation settings allow you to block all messages from that person.
BOOST PRIVACY AND SECURITY
When talking to others, either individually or in groups, you’ll see periodic messages about their safety number having changed. This usually happens if they’ve reinstalled the app or switched to a different device.
If the conversation needs to be secure from man-in-the-middle attacks – for instance if you’re a journalist speaking to a confidential source – then you should contact your interlocutor by other means and confirm your safety numbers. Tap on the notice telling you that your safety number has changed to display it. And if you’d like to make sure your business isn’t shared with anyone who might pick up your locked phone, go to Settings > Notifications > Show and select Name only or No name or message if you don’t want full message previews to be displayed on your lock screen.
In the Privacy menu, you can enable additional security features, including a screen lock with the timeout of your choice, requiring your Android biometric or code unlock to open it, a screenshot blocker of the kind used to protect against certain types of malware and incognito keyboard mode.
For proper privacy, you should enable that last one, as it prevents learning keyboards such as Google’s Gboard from phoning home with data about what you’ve typed.
Scroll down to the Communication heading, and you’ll be able to relay all voice calls through the Signal server, concealing your IP address at the cost of call quality, disable read receipts and typing indicators so your chat partners can’t tell that you’ve received or are writing a message, and turn off link previews. Signal’s handling of link previews is built with security in mind – Signal says its technical infrastructure never sees the link that is sent.
While most of Signal’s features are reasonably apparent as you browse through its settings, its Sealed Sender technology benefits from a little more explanation: this adds an extra layer of encrypting to the message delivery process, not only encrypting the message and user profile but additionally encrypting the metadata package used to identify the sender so it’s only decrypted on arrival. The intention is to keep correspondents’ identities secure against any potential interception attempts. This is a feature aimed at the very privacy conscious.
ENHANCE EXTERNAL SECURITY
Even when your messages are end-to-end encrypted, the text of your communications is only as secure as the device they’re stored on. If your device is compromised, either physically or remotely, you can kiss your privacy – and that of the messages others have sent you – goodbye. Working out if your accounts have been hacked is costly in terms of your time as well as data and privacy.
One potential threat vector that’s gained recent attention, highlighted by technologist Naomi Wu, is that your smartphone’s keyboard app could be compromised. This would negate the security of pretty much every communications app on your phone.
Signal has some internal mitigation for this in the form of its keyboard incognito mode, which prevents keyboard apps from retaining what you type. But if you don’t trust your current keyboard app, or are concerned that it could be compromised, you can install an open-source alternative, which opens the code up to community auditing, at least.
Simple Keyboard, OpenBoard, AnySoftKeyboard and Hacker’s Keyboard, all available via the open source F-Droid app store, are lightweight, low-permissions alternative keyboards with published source code. F-Droid apps don’t auto-update by default, which further helps to prevent supply chain attacks.
RAISE THE BAR
As users, we should demand and expect end-to-end encryption for all our messaging, across all platforms and providers. The fact that I might exclusively use my messenger to send shopping lists and cat photos doesn’t mean that my privacy isn’t important.
Fortunately, Signal is simple, approachable and works beautifully as a day-to-day messaging app. But encrypted messaging should never be allowed to become the exclusive domain of a special app that’s treated as both the go-to choice for secure communications and a sign that someone may have something to hide.
Your privacy and security has intrinsic value, and end-to-end encryption needs to become the minimum standard for online communication, not its apex.
Find more news updates in the News section.